Additional Conditions applicable to GDPR Representative Services
If a Customer accepts an offer, proposal or quotation on the basis of Privacy Valley’s Terms & Conditions that includes the appointment of Privacy Valley as the mandated Customer’s Representative pursuant to Article 27 GDPR, these Additional Conditions shall apply (“Representative Services”):
- In its capacity of Representative, Privacy Valley shall perform the tasks pursuant to Article 27 GDPR under the direct instructions and on behalf of the Customer. In particular, Privacy Valley shall undertake to:
  - act as a point of contact between the Customer and a supervisory authority;
  - facilitate the communication between data subjects and the Customer;
  - receive and transmit any communication from a supervisory privacy authority or data subjects to the Customer;
  - notify the Customer immediately, and in any case without undue delay, whenever an inquiry by a supervisory privacy authority or a data subject is received and always keep the Customer updated about any further developments of such inquiries;
  - after consultation with the Customer, respond as instructed to any questions or inquiries or demands from supervisory privacy authorities or data subjects, including, but not limited to, the exercise of the rights pursuant to articles 12-23 GDPR;
  - inform the Customer immediately, and in any case without undue delay, whenever Privacy Valley becomes aware that any supervisory privacy authority has imposed or is likely to impose any sanction against the Customer or Privacy Valley in its capacity of representative, providing accurate and complete information related thereto;
  - subject to any binding orders to provide information to legal or supervisory authorities, take reasonable measures to keep confidential all of Customer's information which can reasonably be deemed to be confidential information;
  - keep themselves updated and informed on the GDPR and where relevant pass this information on to Customer;
  - maintain records of processing activities according to art. 30 GDPR. Such records shall be based on information provided by Customer.
- The Customer shall:
  - strictly comply with all the rules set out in the applicable data protection law and in the GDPR;
  - provide the data subjects with accurate and updated information as to the identification of Privacy Valley in its capacity of Representative in the Union, as stated in Articles 13(1)a and 14(1)a GDPR;
  - make available to Privacy Valley accurate and updated information to fulfil its obligations under this Agreement;
  - reimburse Privacy Valley for all costs and expenses incurred in carrying out their obligations while fulfilling the Representative Services.
- The Customer shall fully and upon first request indemnify, defend and hold harmless Privacy Valley and its officers, directors, employees, partners, successors, and assigns (collectively “Indemnified Parties”) from and against any and all loss, expenses (including court costs and reasonable attorneys’ fees), damage, claims, demands, investigations, fines, or causes of action or allegations brought by a third party (including supervisory authorities) as a result of or in relation to Customer's breach of its obligations pursuant to section 2 of these Additional Conditions.
- The Representative Services shall commence after Customer has provided Privacy Valley the written mandate to act as its representative and Privacy Valley has provided Customer with a written statement that it has satisfied itself that Customer is in material compliance with its obligations under section 2 above.
- Both parties shall have the right to terminate the Representative Services at any time upon one (1) month written notice to the other party.
- If a party is in material breach of any of its obligations hereunder, the other party may terminate the Representative Services by providing written notification of such breach in reasonable detail to the breaching party. In the event of an incurable breach, the termination shall become effective immediately upon delivery of the notice to the breaching party. In the event of a curable breach, the breaching party shall have seven (7) days to cure the breach after which, if the breach remains uncured, the termination shall become effective.
Version January 2021